
Zappos sticks to its values in communicating customer database breach

Zappos is a social media darling. The company’s adoption of Twitter, its encouragement of employees to engage online openly during work and CEO Tony Hsieh’s commitment to social channels are all trotted out regularly in articles, books and talks. I’m as gung-ho on Zappos’ use of social media as anybody.

One test remained, however. All of Zappos’ social activities have so far been employed in pursuit of brand building and reputation by linking those activities to the company’s customer service-focused values. But how would the company do when faced with something negative, bad publicity if not an outright crisis?

By midday today, it’s clear that the company is sticking to its values even when dealing with bad news.

A cyberattack on Zappos’ servers allowed hackers to access 24 million customer names, email addresses, billing and shipping addresses, phone numbers, the last four digits of their credit card numbers and their encrypted passwords. Zappos isn’t the first company plagued by such attacks. Sony’s PlayStation unit is just one example, but a particularly notable one given the company’s jaw-droppingly awful efforts to inform customers of the breach, then keep them updated.

Zappos, on the other hand, was forthcoming and transparent. The attack occurred Sunday, January 15. Hsieh sent an email to employees that day alerting them to the attack and sharing with them the email that would be sent to customers. That email to employees was posted to a public Zappos site. The customer email included a link to a page that provides instructions on how to reset your password. (Zappos expired and reset passwords before sending out the email.) The company also set up an email address for customers with additional questions and included it on the password change page.

Both pages were up on Sunday, the day of the attack.

Hsieh’s publicly-disclosed message to employees was also an example of striking the right tone in a social world. “We’ve spent over 12 years building our reputation, brand, and trust with our customers,” he wrote. “It’s painful to see us take so many steps back due to a single incident.” And the public had full view of Hsieh’s instructions for “all employees at our headquarters, regardless of department, to help with assisting customers.”

Zappos shut down its phone system, opting to handle all inquiries during the early stages of the crisis by email. “If 5% of our customers call,” he said, “that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.” Again, this information wasn’t hidden inside the company’s firewall, but disclosed on the “Security Email” page of its website.

The company linked to the Security Email page from its Twitter account and its Facebook wall, where comments of distress got responses from the company, right alongside comments of support like “I love zappos! Their service is excellent, I’m sure they’ll take care of the issue and hopefully we can go back to normal soon. I hate stupid hackers.”

The only thing I might have added to this quickly-adopted communication strategy is a notice on the home page and a reference on at least one of Zappos’ blogs (Hsieh’s blog hasn’t been updated since December 20).

But these are just nits. The result of Zappos’ nimble addressing of the issue is media coverage that mostly reports on the company’s public response rather than the severity of the breach.

According to the free social media monitoring service SocialMention, Zappos is being referenced every 14 seconds, and positive sentiment is running 8:1. Even if you account for the unreliability of sentiment engines (which have a tough time with sarcasm and cynicism), that’s a strikingly positive outcome given the circumstances. (Most of the mentions are neutral as people share links to articles and other resources.) And Zappos is engaging with those who take to social media, as in this example:

The loss of confidential customer data is never good. Certainly questions will arise about the security of such data in the wake of the attack. I suspect Zappos, based on their record, will be upfront about this, too. What’s important to remember in this case, though, is that the public is risk-averse. Zappos’ response was about as good as it could be under the circumstances in addressing the risk. That’ll go a long way toward restoring customer confidence in the organization.

Comments

1. That's all fine and good, and it's wonderful Zappos is still a media darling. The question I have is... where, as a long-time Zappos customer, is my email informing me of this breach?? If I hadn't happened to see this article posted by an FB friend, I wouldn't have known about this. Checked my email folders - nada, not even in junk mail. Checked with several friends & family members & they haven't received an email either. So I would say they have done a great PR job, but not that great in terms of informing customers. :(

Long-Time Zappos Customer | January 2012 | Las Vegas, NV

2. Sorry you didn't get your notification yet! The emails are being sent out in batches. 24+ million is a lot to send out. Everyone is welcome to reset their passwords at any time.

3. Funny, I had the same experience. I knew to reset my password because a friend Tweeted about it, and saw the note on the Zappos home page when it went online yesterday, but I heard nothing from Zappos until I received the email at 4 a.m. Eastern today.

4. Yeah, me too. Saw it on facebook from a friend that works there. Never got an email informing me of it.

Greg | January 2012

5. Absurd that Zappos would congratulate itself on transparency based on a communique with its employees. It needed to send an email of apology to customers (I am a longtime customer who might not continue the relationship). It did not. Bad crisis PR.

brad | January 2012

6. Brad, I respectfully disagree. First, Zappos isn't congratulating itself; I've heard no messages of self-congratulation. It's me who's complimenting the organization on its communication. Second, an email DID go out to customers. While I got mine several days after the event, they did communicate directly. If you're a customer, you should have received one.

Based on the standards of crisis communication, it's my view that Zappos did pretty good. Not perfect, but pretty good.